Bump the npm-dependencies group across 1 directory with 15 updates

[dependabot]

Bumps the npm-dependencies group with 13 updates in the / directory:

Package	From	To
@tailwindcss/cli	4.1.17	4.1.18
esbuild	0.25.12	0.27.1
glob	11.0.3	13.0.0
rollup	4.53.2	4.53.3
@cloudflare/vitest-pool-workers	0.9.14	0.10.15
@eslint/js	9.39.1	9.39.2
@npmcli/arborist	9.1.6	9.1.9
@vitest/coverage-istanbul	3.2.4	4.0.15
@vitest/coverage-v8	3.2.4	4.0.15
eslint	9.39.1	9.39.2
lerna	9.0.0	9.0.3
prettier	3.6.2	3.7.4
vitest	3.2.4	4.0.15

Updates @tailwindcss/cli from 4.1.17 to 4.1.18

Release notes

Sourced from @​tailwindcss/cli's releases.

v4.1.18

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from @​tailwindcss/cli's changelog.

[4.1.18] - 2025-12-11

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

• 9b32f7c Release v4.1.18 (#19431)
• 164194d Don’t try reading from pipes or special file descriptors (#19421)
• 563a016 Only use the last value when parsing duplicate cli arguments (#19416)
• 0e8f075 Fix source map generation during when watching files on the CLI (#19373)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by malfaitrobin, a new releaser for @​tailwindcss/cli since your current version.

Updates esbuild from 0.25.12 to 0.27.1

Release notes

Sourced from esbuild's releases.

v0.27.1

• Fix bundler bug with var nested inside if (#4348)

  This release fixes a bug with the bundler that happens when importing an ES module using require (which causes it to be wrapped) and there's a top-level var inside an if statement without being wrapped in a { ... } block (and a few other conditions). The bundling transform needed to hoist these var declarations outside of the lazy ES module wrapper for correctness. See the issue for details.

• Fix minifier bug with for inside try inside label (#4351)

  This fixes an old regression from version v0.21.4. Some code was introduced to move the label inside the try statement to address a problem with transforming labeled for await loops to avoid the await (the transformation involves converting the for await loop into a for loop and wrapping it in a try statement). However, it introduces problems for cross-compiled JVM code that uses all three of these features heavily. This release restricts this transform to only apply to for loops that esbuild itself generates internally as part of the for await transform. Here is an example of some affected code:

  // Original code
  d: {
    e: {
      try {
        while (1) { break d }
      } catch { break e; }
    }
  }
  // Old output (with --minify)
  a:try{e:for(;;)break a}catch{break e}
  // New output (with --minify)
  a:e:try{for(;;)break a}catch{break e}

• Inline IIFEs containing a single expression (#4354)

  Previously inlining of IIFEs (immediately-invoked function expressions) only worked if the body contained a single return statement. Now it should also work if the body contains a single expression statement instead:

  // Original code
  const foo = () => {
    const cb = () => {
      console.log(x())
    }
    return cb()
  }
  // Old output (with --minify)
  const foo=()=>(()=>{console.log(x())})();
  // New output (with --minify)
  const foo=()=>{console.log(x())};

• The minifier now strips empty finally clauses (#4353)

  This improvement means that finally clauses containing dead code can potentially cause the associated try statement to be removed from the output entirely in minified builds:

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.1

• Fix bundler bug with var nested inside if (#4348)

  This release fixes a bug with the bundler that happens when importing an ES module using require (which causes it to be wrapped) and there's a top-level var inside an if statement without being wrapped in a { ... } block (and a few other conditions). The bundling transform needed to hoist these var declarations outside of the lazy ES module wrapper for correctness. See the issue for details.

• Fix minifier bug with for inside try inside label (#4351)

  This fixes an old regression from version v0.21.4. Some code was introduced to move the label inside the try statement to address a problem with transforming labeled for await loops to avoid the await (the transformation involves converting the for await loop into a for loop and wrapping it in a try statement). However, it introduces problems for cross-compiled JVM code that uses all three of these features heavily. This release restricts this transform to only apply to for loops that esbuild itself generates internally as part of the for await transform. Here is an example of some affected code:

  // Original code
  d: {
    e: {
      try {
        while (1) { break d }
      } catch { break e; }
    }
  }
  // Old output (with --minify)
  a:try{e:for(;;)break a}catch{break e}
  // New output (with --minify)
  a:e:try{for(;;)break a}catch{break e}

• Inline IIFEs containing a single expression (#4354)

  Previously inlining of IIFEs (immediately-invoked function expressions) only worked if the body contained a single return statement. Now it should also work if the body contains a single expression statement instead:

  // Original code
  const foo = () => {
    const cb = () => {
      console.log(x())
    }
    return cb()
  }
  // Old output (with --minify)
  const foo=()=>(()=>{console.log(x())})();
  // New output (with --minify)
  const foo=()=>{console.log(x())};

• The minifier now strips empty finally clauses (#4353)

  This improvement means that finally clauses containing dead code can potentially cause the associated try statement to be removed from the output entirely in minified builds:

... (truncated)

Commits

• 5e0e56d publish 0.27.1 to npm
• 5a89732 fix #4354: improve IIFE inlining for expressions
• b940218 minify: move unused expr simplification later
• c46d498 fix #4353: remove empty try/finally clauses
• 7a72735 fix #4348: bundler bug with var inside if
• 4e4e177 fix #4351: label + try + for minifier bug
• d6427c9 fix: deno release url wrong comment (#4326)
• 48e3e19 calling Symbol.for with a primitive never throws
• 4ff88d0 update decorator-tests.js snapshot
• 1877e60 calling Symbol with a primitive will never throw
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates glob from 11.0.3 to 13.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 3bfb960 13.0.0
• db31a63 Split the CLI out from the main project
• 5493458 ci: remove node 20
• 3f7526c test: fix bin tests on windows (slashes)
• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• Additional commits viewable in compare view

Updates rollup from 4.53.2 to 4.53.3

Release notes

Sourced from rollup's releases.

v4.53.3

4.53.3

2025-11-19

Bug Fixes

• Fix an error where too many modules where flagged for having an unused external import (#6182)
• Fix an error where an assignment was wrongly tree-shaken when mutating it (#6183)

Pull Requests

• #6171: Add test-install CI job to test packaging, installation and importing of rollup package (@​antoninkriz, @​lukastaegert)
• #6174: Re-enable TypeScript test (@​lukastaegert)
• #6180: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6182: Tracing the importers chain for exported variables in external module (@​TrickyPi, @​lukastaegert)
• #6183: Check if left side is included when checking if assigning to an assignment has side effects (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

4.53.3

2025-11-19

Bug Fixes

• Fix an error where too many modules where flagged for having an unused external import (#6182)
• Fix an error where an assignment was wrongly tree-shaken when mutating it (#6183)

Pull Requests

• #6171: Add test-install CI job to test packaging, installation and importing of rollup package (@​antoninkriz, @​lukastaegert)
• #6174: Re-enable TypeScript test (@​lukastaegert)
• #6180: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6182: Tracing the importers chain for exported variables in external module (@​TrickyPi, @​lukastaegert)
• #6183: Check if left side is included when checking if assigning to an assignment has side effects (@​lukastaegert)

Commits

• 998b595 4.53.3
• ef834c2 Tracing the importers chain for exported variables in external module (#6182)
• fb21d56 Check if left side is included when checking if assigning to an assignment ha...
• 4b4581d Add test-install CI job to test packaging, installation and importing of roll...
• 18ee41b fix(deps): lock file maintenance minor/patch updates (#6180)
• f0a80d1 Re-enable TypeScript test (#6174)
• See full diff in compare view

Updates tailwindcss from 4.1.17 to 4.1.18

Release notes

Sourced from tailwindcss's releases.

v4.1.18

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

Changelog

Sourced from tailwindcss's changelog.

[4.1.18] - 2025-12-11

Fixed

• Ensure validation of source(…) happens relative to the file it is in (#19274)
• Include filename and line numbers in CSS parse errors (#19282)
• Skip comments in Ruby files when checking for class names (#19243)
• Skip over arbitrary property utilities with a top-level ! in the value (#19243)
• Support environment API in @tailwindcss/vite (#18970)
• Preserve case of theme keys from JS configs and plugins (#19337)
• Write source maps correctly on the CLI when using --watch (#19373)
• Handle special defaults (like ringColor.DEFAULT) in JS configs (#19348)
• Improve backwards compatibility for content theme key from JS configs (#19381)
• Upgrade: Handle future and experimental config keys (#19344)
• Try to canonicalize any arbitrary utility to a bare value (#19379)
• Validate candidates similarly to Oxide (#19397)
• Canonicalization: combine text-* and leading-* classes (#19396)
• Correctly handle duplicate CLI arguments (#19416)
• Don’t emit color-mix fallback rules inside @keyframes (#19419)
• CLI: Don't hang when output is /dev/stdout (#19421)

[3.4.19] - 2025-12-10

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

Commits

• 9b32f7c Release v4.1.18 (#19431)
• 820d907 Expose candidatesToAst to the language server (#19405)
• 478e959 Don’t emit color-mix fallback rules inside @keyframes (#19419)
• a5f4644 Validate named values in candidate parser (#19397)
• 229121d Canonicalization: combine text-* and leading-* classes (#19396)
• 243615e Handle backwards compatibility for content theme from JS configs (#19381)
• 7642751 Improve compatibility with special default values in JS configs (#19348)
• af48117 remove unnecessary intermediate check
• 9e436f7 Try to canonicalize any arbitrary utility to a bare value (#19379)
• 479b725 Bump Vitest to v4 (#19216)
• Additional commits viewable in compare view

Updates @cloudflare/vitest-pool-workers from 0.9.14 to 0.10.15

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.10.15

Patch Changes

• Updated dependencies [c15e99e, 31c162a, bd5f087, c6dd86f, 235d325, b17797c, b17797c, 41103f5, ea6fbec, bb47e20, 991760d]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.14

Patch Changes

• Updated dependencies [af54c63, 9988cc9, ce295bf, 45480b1, 9514c9a, 94c67e8, ac861f8, 79d30d4, 56e78c8, f550b62]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.13

Patch Changes

• Updated dependencies [59534ba, 7e80340]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.12

Patch Changes

• Updated dependencies [2b4813b, abe49d8, b154de2, f29e699, 5ee3780, 6e63b57, 71ab562, 76f0540, 2342d2f, 5e937c1, 9a1de61, 6b38532, e4ddbc2, 2aec2b4, 695fa25, 504e258, 5a873bb, d25f7e2, 1cfae2d, e7b690b, 1d685cb, edf896d, 2b4813b, c47ad11, a977701, 9eaa9e2]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.11

Patch Changes

• Updated dependencies [69f4dc3, 1133c4d, 4d61fae, d524e55, 43903a3, e496280]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.10

Patch Changes

• Updated dependencies [0cf696d, 524a6e5, c922a81, bb44120, 4a158e9]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.9

Patch Changes

• Updated dependencies [e5ec8cf, c758809, dfba912]:
  • [email protected]
  • [email protected]

@​cloudflare/vitest-pool-workers@​0.10.8

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.10.15

Patch Changes

• Updated dependencies [c15e99e, 31c162a, bd5f087, c6dd86f, 235d325, b17797c, b17797c, 41103f5, ea6fbec, bb47e20, 991760d]:
  • [email protected]
  • [email protected]

0.10.14

Patch Changes

• Updated dependencies [af54c63, 9988cc9, ce295bf, 45480b1, 9514c9a, 94c67e8, ac861f8, 79d30d4, 56e78c8, f550b62]:
  • [email protected]
  • [email protected]

0.10.13

Patch Changes

• Updated dependencies [59534ba, 7e80340]:
  • [email protected]
  • [email protected]

0.10.12

Patch Changes

• Updated dependencies [2b4813b, abe49d8, b154de2, f29e699, 5ee3780, 6e63b57, 71ab562, 76f0540, 2342d2f, 5e937c1, 9a1de61, 6b38532, e4ddbc2, 2aec2b4, 695fa25, 504e258, 5a873bb, d25f7e2, 1cfae2d, e7b690b, 1d685cb, edf896d, 2b4813b, c47ad11, a977701, 9eaa9e2]:
  • [email protected]
  • [email protected]

0.10.11

Patch Changes

• Updated dependencies [69f4dc3, 1133c4d, 4d61fae, d524e55, 43903a3, e496280]:
  • [email protected]
  • [email protected]

0.10.10

Patch Changes

• Updated dependencies [0cf696d, 524a6e5, c922a81, bb44120, 4a158e9]:
  • [email protected]
  • [email protected]

0.10.9

... (truncated)

Commits

• d9eae49 Version Packages (#11538)
• 8672321 Version Packages (#11511)
• 0c71b87 Version Packages (#11503)
• 1b3e10d Version Packages (#11427)
• ed5186e add tests for vitest-pool-workers context exports (#11441)
• f87b057 Version Packages (#11374)
• 86eab8e Version Packages (#11356)
• 9cd9b96 Debugging vitest-pool-workers flakes (#11358)
• 9f3cfc2 Version Packages (#11334)
• e5ec8cf Bump the workerd-and-workers-types group with 2 updates (#11318)
• Additional commits viewable in compare view

Updates @eslint/js from 9.39.1 to 9.39.2

Release notes

Sourced from @​eslint/js's releases.

v9.39.2

Bug Fixes

• 5705833 fix: warn when eslint-env configuration comments are found (#20381) (sethamus)

Build Related

• 506f154 build: add .scss files entry to knip (#20391) (Milos Djermanovic)

Chores

• 7ca0af7 chore: upgrade to @eslint/[email protected] (#20394) (Francesco Trotta)
• c43ce24 chore: package.json update for @​eslint/js release (Jenkins)
• 4c9858e ci: add v9.x-dev branch (#20382) (Milos Djermanovic)

Commits

• c43ce24 chore: package.json update for @​eslint/js release
• See full diff in compare view

Updates @npmcli/arborist from 9.1.6 to 9.1.9

Release notes

Sourced from @​npmcli/arborist's releases.

arborist: v9.1.9

9.1.9 (2025-12-09)

Bug Fixes

• 0765289 #8721 handle ENOTEMPTY errors in moveFile (@​keegancsmith)

arborist: v9.1.8

9.1.8 (2025-11-25)

Bug Fixes

• b118364 #8760 undefined override set conflicts shouldn't error (@​owlstronaut)

Dependencies

• f963223 #8770 [email protected]
• f51e4aa #8770 [email protected]
• 2d15040 #8770 @npmcli/[email protected]
• 58650dc #8770 @npmcli/[email protected]

arborist: v9.1.7

9.1.7 (2025-11-19)

Bug Fixes

• 3225fa3 #8737 fix usage of path of custom registry (#8737) (@​flj2mu2)
• e9f0418 #8689 arborist: improve override conflict detection with semantic comparison (#8689) (@​Artur-)
• 05319f0 #8677 code cleanup (#8677) (@​wraithgar)
• 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@​wraithgar)
• b1aee62 #8645 dep flag calculation (#8645) (@​liamcmitchell)

Dependencies

• 8cc9f70 #8723 [email protected]
• 59b3c6a #8723 @npmcli/[email protected]
• 6cb77df #8723 @npmcli/[email protected]
• 05ac7a7 #8723 [email protected]
• 0a74f6d #8723 [email protected]

[cloudflare-workers-and-pages]

Deploying brisbanesocialchess with    Cloudflare Pages

Latest commit:	eba6174
Status:	🚫  Build failed.

View logs

[github-actions]

Thanks for your first pull request! We appreciate your contribution.

[deepsource-io]

Here's the code health analysis summary for commits a56a50c..214897b. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Python	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗
JavaScript	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​coverage-istanbul@​3.2.4 ⏵ 4.0.16				+2
	@​vitest/​coverage-v8@​3.2.4 ⏵ 4.0.16	+1		-3	-1
	esbuild@​0.25.12 ⏵ 0.27.2
	@​tailwindcss/​cli@​4.1.17 ⏵ 4.1.18	-10
	@​cloudflare/​vitest-pool-workers@​0.9.14 ⏵ 0.11.0
	lerna@​9.0.0 ⏵ 9.0.3	-1			+4
	luxon@​3.7.2
	glob@​11.0.3 ⏵ 13.0.0	+1	+16
	eslint@​9.39.1 ⏵ 9.39.2	-3			+1
	@​npmcli/​arborist@​9.1.4 ⏵ 9.1.9
	@​eslint/​js@​9.39.1 ⏵ 9.39.2				+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Publisher changed: npm @tailwindcss/cli is now published by malfaitrobin Author: malfaitrobin From: package-lock.json → npm/@tailwindcss/[email protected] ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm @tailwindcss/node is now published by malfaitrobin Author: malfaitrobin From: package-lock.json → npm/@tailwindcss/[email protected] → npm/@tailwindcss/[email protected] ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm @tailwindcss/oxide-android-arm64 is now published by malfaitrobin Author: malfaitrobin From: package-lock.json → npm/@tailwindcss/[email protected] → npm/@tailwindcss/[email protected] ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm @tailwindcss/oxide-wasm32-wasi is now published by malfaitrobin Author: malfaitrobin From: package-lock.json → npm/@tailwindcss/[email protected] → npm/@tailwindcss/[email protected] ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm @tailwindcss/oxide-win32-arm64-msvc is now published by malfaitrobin Author: malfaitrobin From: package-lock.json → npm/@tailwindcss/[email protected] → npm/@tailwindcss/[email protected] ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package-lock.json → npm/@11ty/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm obug Location: Package overview From: package-lock.json → npm/@vitest/[email protected] → npm/@vitest/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sentry]

Bug: The updated vitest version ^4.0.16 is incompatible with the peer dependency range (2.0.x - 3.2.x) of @cloudflare/vitest-pool-workers@^0.11.0, which will break the test suite.
_{Severity: CRITICAL | Confidence: High}

🔍 Detailed Analysis

The pull request updates vitest to version ^4.0.16 while also using @cloudflare/vitest-pool-workers@^0.11.0. The @cloudflare/vitest-pool-workers package has a peer dependency requirement for vitest in the range of 2.0.x - 3.2.x. Since version 4.0.16 is outside this compatible range, package managers will report unmet peer dependency errors. This mismatch will cause the test suite to fail at runtime, specifically breaking tests in the packages/cfsite/ package which relies on vitest-pool-workers for Cloudflare Workers testing, thus blocking the CI pipeline.

💡 Suggested Fix

Update @cloudflare/vitest-pool-workers to a version that is compatible with vitest v4.x. If no such version is available, revert the vitest upgrade to a version within the 2.0.x - 3.2.x range to resolve the peer dependency conflict.

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L49

Potential issue: The pull request updates `vitest` to version `^4.0.16` while also using
`@cloudflare/vitest-pool-workers@^0.11.0`. The `@cloudflare/vitest-pool-workers` package
has a peer dependency requirement for `vitest` in the range of `2.0.x - 3.2.x`. Since
version `4.0.16` is outside this compatible range, package managers will report unmet
peer dependency errors. This mismatch will cause the test suite to fail at runtime,
specifically breaking tests in the `packages/cfsite/` package which relies on
`vitest-pool-workers` for Cloudflare Workers testing, thus blocking the CI pipeline.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 7625010}